Update Cybersecurity Policy and Procedures for 2018
Broker-dealer and RIA firms are becoming more vulnerable to cyber threats every day because of their increased reliance on web-based solutions and mobile device activity. As a regulatory compliance consulting firm, our staff can see the cybersecurity plan for BDs and RIAs becoming an increasingly important part of business strategy. Data theft by cyber-criminals, attacks by nation states or terrorist groups, hacktivists causing embarrassment, and internal attacks from company insiders, employees, or competitors all present a viable threat to financial service businesses. Given the broad spectrum of threats, firms should closely monitor cyber activity at their firm and use the methods outlined by FINRA and the SEC for implementing their cybersecurity program.
Elements of an effective cybersecurity plan
FINRA released a report in February 2015 outlining its expectations of a sound cybersecurity program. The report included the following criteria:
- Cybersecurity Governance and Risk Management – A governance framework for decision making and handling issues; policies, processes, and relevant controls.
- Cybersecurity Risk Assessment – Conduct regular assessments to identify risks and threats; maintain an inventory of assets posing a risk; prioritize by threat level and implement remediation where appropriate.
- Technical Controls – Protection of firm software, hardware, and data; penetration testing and encryption standards.
- Incident Response Planning – Procedures for identifying the threat level of a cybersecurity incident and escalating the crisis appropriately for an efficient resolution.
- Vendor Management – Risk-based analysis of vendors; analysis of cybersecurity threat from data sharing with third-party vendors.
- Staff Training – Training tailored to staff and business operations, including testing, periodic training schedules, and remediation efforts.
- Cyber Intelligence and Information Sharing – Periodic evaluation of cyber threats and strategic objectives, and assessment of the firm's ability to respond to a breach or disruption.
- Cyber Insurance – Analysis of potential to offset remediation expense of a cyber-incident; regular review of coverage and objectives.
Regulators such as FINRA and the SEC suggest using a risk-based approach to cybersecurity, implemented alongside industry frameworks and standards. An example of an acceptable industry framework is the one developed by NIST (National Institute of Standards & Technology), the “Framework for Improving Critical Infrastructure Cybersecurity”. The NIST Framework is a flexible method designed around business needs, risk tolerance, and resources.
Below are 7 suggestions from RND Resources Inc. to improve cybersecurity strategy for firms updating and reviewing cybersecurity initiatives for 2017-2018. When implemented, these recommendations can ease anxiety about regulatory cybersecurity examination and improve the chances of a smooth FINRA or SEC examination process.
- Appoint an executive leader to take ownership of the cybersecurity program for your firm.
- Review the FINRA whitepaper on cybersecurity practices for broker-dealers and investment firms annually, including the FinCEN Suspicious Activity Report guidance.
- Test the firm's incident response plan (IRP) and make adjustments where appropriate.
- Review employee manuals regarding cybersecurity procedures and policies. Regularly update the employee cybersecurity manual to include new threats and risks.
- Maintain a written standard for employees to refer to in case of an incident. Be sure to distribute updated policy changes and include them in the employee cybersecurity manual.
- Devise a training program that includes testing criteria for each job description and department. Recognize that the majority of cyber-incidents are attributed to carelessness, ill will, or lack of staff training. Test employees on using the plan periodically, randomly, and without warning.
- Develop standards for on-boarding vendor service providers who have been given access to electronic data. Annually review each third-party vendor's cybersecurity policy and determine the risk it poses to your firm's electronic data security.
Going forward with cybersecurity initiatives
In August 2017 the SEC released a National Exam Program Risk Alert from the Office of Compliance Inspections and Examinations (OCIE). The release detailed findings from cybersecurity examinations of BD and RIA firms conducted from 2014 through 2016. The weaknesses uncovered in the Cybersecurity 2 Initiative examinations, and the areas where the OCIE sees potential for improvement, follow:
- While nearly all BDs and RIAs examined maintained written policy manuals, many were not reasonably tailored to the firm. Examiners found manuals that were too general, vague, or limited in defining examples and best practices. They noted that manuals only vaguely described the procedures for initiating a cyber incident response.
- While firms had devised cybersecurity policies, many were not adhered to. For instance, annual reviews were not conducted annually. Testing of security protocols was never conducted or rarely improved upon. Some instruction manuals were structured too poorly relative to their critical purpose.
- With regard to Regulation S-P, “Privacy and Protection of Consumer Financial Information”, installation of software updates and patches was not timely. Poorly maintained or outdated systems pose an unreasonable risk to consumer data. Further, findings from system penetration tests were not remediated in a timely manner.
In further explanation of sound cybersecurity policy and procedures, the OCIE and SEC offer the following suggestions:
- Maintain an inventory of data, information, and vendors having access to data. Include classification of risks, data, business consequences, and service provider information.
- Keep a cybersecurity log to track events and include instructions for conducting penetration tests, monitoring and auditing security, restricting access rights for employees and vendors, and recording incidents and outcomes.
- Maintain a schedule of testing data systems for integrity and vulnerability. Use a log to track patch updates and the steps taken to implement upgrades.
- Enforce established controls. Keep detailed logs showing enforced restrictions and controls such as password change schedules. Require activity logs from service provider vendors demonstrating proof of cybersecurity protocol. Implement same-day expiration of access upon terminating employees. Enforce the employee acceptable use policy.
- Implement mandatory employee training on system use and cybersecurity protocol at on-boarding and periodically thereafter.
RND Resources Inc is an outsourced solution for small broker-dealer and RIA firms that are highly focused on growth strategy and business development and do not have the capacity to handle critical components of their cybersecurity framework and governance program. Our professional staff is adept at preparing your cybersecurity program and updating existing manuals to meet current trends and threats. We strive for vertically integrated compliance solutions that are tailored to flow with your business model and meet your firm's overall business objectives. We encourage firms to reach out to us for assistance when updating their cybersecurity program or planning cybersecurity policy and procedures for a startup BD or RIA. RND Resources Inc – Ph: 818.657.0288